Security researcher slams major vendors.
A security researcher who pioneered the use of vulnerability scanners in computing has accused the likes of Dell, Hewlett-Packard and IBM of peddling servers that are "vulnerable by default".
Writing in a white paper Dan Farmer claimed that a scan of the intelligent platform management interface (IPMI) that allows system administrators to manage computers without using an OS had revealed 230,000 microcontrollers exposed to the internet, with 90% capable of being compromised through basic weaknesses.
He said: "For over a decade major server manufacturers have harmed their customers by shipping servers that are vulnerable by default, with a management protocol that is insecure by design, and with little to no documentation about how to make things better."
IPMI is used as a basic piece of software by vendors who later add services such as mail and network management protocols. The associated baseboard management controller (BMC) has considerable oversight of networks it is attached to, creating the opportunity for extensive hacking.
University of Michigan researchers had raised concerns in a paper last year, saying they believe potential attacks could include the installation of spyware, rootkits providing unlogged backdoor access, and botnets for use in other attacks.
"While only a quarter of a million BMCs is only a tiny sliver of the total computing power in the world, it’s still an important indicator as a kind of canary in the coalmine," Farmer added.
"All the services that make the Internet so vital to our daily lives are powered by servers hiding behind the curtains of corporate firewalls."
He advised systems administrators not to put a managed network port on the internet unless it is strictly necessary, to rotate IPMI passwords frequently, and to increase password length.